Don't ever generate sql statements from strings, you're leaving yourself vuln...

[Comment from a deleted post]

Don't ever generate sql statements from strings, you're leaving yourself vulnerable to sql injection. Use parameterized queries.